The Finocchiaro Law Firm's blog

More than a half century ago, Bob Dylan’s “A hard rain’s a-gonna fall” reflected a dark and turbulent world facing a potential nuclear attack, the rising threat of environmental pollution, a rapid shifting of the international order, a growing divisiveness within society and the dawning of new socio-political paradigms and power centers. Does this sound like today? Or is the falling rain the source of new opportunities?

Nomisma asked prominent experts from around the world to share their views on major trends which will affect the global agenda in the next year. Giusella Finocchiaro is the author of the chapter regarding Internet Law in 2018. All contributions are collected in a book edited by Andrea Goldstein and Julia K. Culver.

We present here an interview published in december 2015 on the CINECA Consortium Magazine.

Do the legal principles covering the Net derive from general legal principles of from made-to-measure laws?

The general legal principles are always the same, of course. There would be no sense in trying to find a made-to-measure solution and a made-to-measure law for each specific problem, without due consideration for the overlying framework. It’s not always true, therefore, that, in order to regulate new technologies, new laws have to be made.

We need to get away, too, from the common idea that technology runs ahead while the law limps along behind. The reality is quite different. Take the laws on electronic signatures, for example. In Italy, the law arrived ahead of technology and even ahead of the need.

The principle has recently been affirmed according to which the law should be technologically neutral. On the basis of this principle, the legislator should not condition the market by favouring one technology over another, nor should he condition the development of technology. This approach is “functional” in the sense that it regulates, not the object, but the function. We must avoid constraining any specific form of technological or commercial development. Rather, we need to set out general principles that will remain unvaried for a certain period of time, and will not be constrained by changing technologies.

Apart from the electronic signature, another emblematic case is that of laws for the protection of consumers over remote sales contracts. What is involved, clearly, is a way of selling, not a specific technology. As far as the law is concerned, therefore, it is not important to make a distinction between purchases made using, for example, an App, or those made through a traditional website.

Speaking of users’ rights, the privacy and copyright laws are well known, but people are also invoking the right to be forgotten. What is this about?

The right to be forgotten is not a right in itself but it is nevertheless a restatement of other rights that are recognized by the law. Traditionally, the right to be forgotten describes a person’s right not to have republished information, even if it was legitimately published at the time, relating to events that happened a considerable length of time ago.

In Internet, obviously, the time involved is not that between publication and republication of the information, but the time that has lapsed since the item was published. The time factor regards, not just news items, but events which took place a long time ago, though for which this fact is not evident because no time context is given. In these cases, jurisprudence has suggested there may be an infringement of an individual’s right to his or her personal identity.

The problem is to ensure that the proper weight is given to the information, in order to avoid the person’s identity being distorted by the Net. As we saw from a decision by the Supreme Court, no. 5525 of 5 April 2012, this goal can be achieved by placing the information in context. It is not a right to be forgotten, then, but a right to a proper context.

The underlying theme, but one that emerges strongly, is that of the protection of an individual’s identity, in all its multiple forms.

What is at issue, then, is not the question of a specific news item about a specific individual and a specific event that can be retrieved through Google, but the protection of a person’s identity in the Internet, which is often perceived as a sole archive. It is not a sole archive, but it is a major source of information and sometimes the only one accessible.

“The Law in the Net”, but also “The Net in the Law”: how has Internet affected or modified the principles of “Jus Commune”?

Generally speaking, the principles of “Jus Commune” remain as before, but it cannot be denied that the advent of new technologies has brought fresh challenges for legal scholars.

What we have said about the right to be forgotten is a good example. In the real, physical world, the key element of this is the concept of “republication”. With Internet, on the other hand, the issue is the time the information stays available. Here it is not a question of drawing public attention back to a past event. The point is that, potentially, the past event has always remained there. So in this case the need that the law has to satisfy is a different one. It is no longer a question of republishing or not, it is a question of how a publication, that was maybe made quite legitimately many years earlier, is to be presented now.

A Net without borders: how have international regulations been affected by Internet?

The same general considerations apply. It is clear that the advent of Internet has drawn international attention to the need to regulate certain situations. I am thinking first of all of regulations aimed at encouraging the use of Internet as a trading tool and, as a consequence, the regulations set up for the protection of consumers.

A separate chapter belongs to the international conventions created to facilitate cooperation between the forces of law and order in relation to crimes committed via computer systems. I am thinking, for example, of the Budapest Convention of the European Council of 23 November 2001 on cybercrime.

Which judge has jurisdiction over disputes in Internet?

It depends on the nature of the dispute. The same procedural rules apply as in the real, physical world. The problem with internet is that the proper jurisdiction is not always easy to identify.

You are a teacher at Bologna University. How, in your opinion, has Internet revolutionized the world of the university? Is it simply a question of having new tools available for the administration and for the students, or is there more to it than that? Has there been a change of mentality, for example?

There are pros and cons to using Internet, in the university world like any other. Clearly, immediate access to a wider range of information has speeded up research processes. There is wider access to study texts. But it has to be said that the information stored on the Internet is disorderly. All the information on the net appears at the same level. From an academic point of view, research via the Internet poses problems for students, who are not always able to assess the reliability of the sources they are consulting. Consultation of texts in the library, on the other hand, allows more control over the information. It makes it easier to distinguish between original and secondary sources.

Turning now to the changes that Internet has brought to administrative aspects, we have to remember that publicity, that is to say the means of spreading awareness of information, is not the same on and off the net. On the Internet, anyone can access it without limits, unless restrictions to access have been expressly placed – reserved areas, passwords and so on. There are also no temporal limits. So publication online and publication offline are, legally, two very different things. Bologna University has adopted an innovative regulation on the publication of its official acts. The time of publication is limited to three years, and the regulations also cover the means of access and the essential nature of the content that is to be published. Transparency doesn’t mean publishing everything on Internet. Let’s remember that it’s a storehouse, not a structured archive of knowledge.

You were among the first in Italy to deal with these questions. Today you are a leading international expert, with major appointments and awards. What attracted you in the first place, and how would you sum up this experience today?

I must say that, from my professional viewpoint, I always prefer not to draw up a balance of what has been done. I prefer to look ahead to the things I still have to do. I always hope to make further improvements. I can certainly say that I am satisfied with having chosen to study a branch of law that is a continual source of new stimuli.

In the first place, I was pushed by curiosity for a new aspect of law. I was also fired by a passion for technical innovation. I therefore discovered, in my specialized field, a fascinating aspect of the legal profession: creativity in law. I believe, therefore, that I have been very lucky, not least because I have always found motivation and interest for my work. Nevertheless, however satisfied I may be, I am very much aware that a lot of new challenges lie ahead.

As previously mentioned in this blog, the 49th Working Group session on electronic commerce of the United Nations Committee on international trade law was held in New York from the 28th April to the 2nd May 2014.

At the start of the session Giusella Finocchiaro, the Italian Uncitral representative for electronic commerce was unanimously elected as chairperson.

The WG is working on a detailed document on Electronic Transferable Records, which could form the new law model. This work is drawing to a conclusion.

The basic principles that motivated the WG have been reaffirmed; namely those of technological neutrality and non-discrimination between paper and electronic documents, keeping any impact on national law regulations to a minimum.

The 50th session of the WG will be held in Vienna from the10th to the 14th November 2014.

On the 22nd of April 2014 the Marco Civil, the Brazilian “Internet Constitution”, was granted final approval by the Brazilian Senate. The law, which regulates the rights and obligations of network users, was signed by President Dilma Rousseff at the opening of the “NetMundial” conference, a two day event dedicated to worldwide network governance.

After a work project lasting five years the regulations protecting privacy, freedom of expression and net neutrality were approved in Sao Paolo. With specific regard to net neutrality, the Brazilian Internet Constitution is considered by civil liberty activists as a revolutionary document in Internet history. The regulations will in fact prevent telecommunication companies from setting up preferential channels to band access as a prerogative of some services and to the detriment of others, as is an emerging trend in the business strategies of connectivity providers worldwide.

The law process speeded up after Edward Snowden’s revelations from which it emerged that the United States were monitoring President Rousseff’s communications.

However, as regards datagate, the Brazilian law proves to be less effective on comparison with its first formulation.

In fact one of the most contested innovations contained in the bill, namely the idea of preventing the storage of Brazilian citizens’ data on servers located abroad, was deleted from the main body of the regulation before Senate approval.

By virtue of the removal of the above mentioned proposal, another article of the regulations has been strengthened, which provides that companies that collect user data generated in Brazil must submit to the Brazilian government regulations on Data Protection, regardless of the location of the servers where the information is stored.

The Marco Civil also contains provisions against the attribution of liability to intermediaries, formalizing that providers are not responsible for the content published online by users, a hotly contested topic for years in Europe but on which Brazil had not yet legislated.

Under the new legislation, service providers will only be liable for third party content if they fail to ensure the removal of material pursuant to a court order.

As we have read in the press, the moment of the President’s signature was accompanied by applause and clamour from the NetMundial audience which was made up of experts and representatives of the major worldwide network companies.

In a speech which briefly preceded Rouseff’s signature, Tim Berners-Lee, the inventor of the World Wide Web, expressed the hope that other governments would follow Brazil’s example and join together in signing the paper described as a wonderful example of how governments can play a positive role in the advancement of civil rights on the Internet and in maintaining an open network.

Following the President’s speech, the European Commissioner Neelie Kroes also expressed her enthusiasm and defined the Marco Civil as “real cause for celebration”.

The Italian press have recently reported on the first case of fraud in Italy through the unlawful use of a digital signature.

According to reports, a Rome businessman discovered through a check carried out at the Chamber of Commerce in 2011 that all his company’s shares had been registered without his knowledge to a man by name of David Henry Antinucci, who in this way had become the sole member of the company and had also appointed himself sole director, with the authority to transfer the company’s headquarters.

With the appointment of the new sole director, the deeds of conveyance had been transmitted to the Chamber of Commerce via the Internet by an accountant’s office by means of the activation of an electronic smart card with a digital signature, which is obligatory for company communications with the Italian Register of companies. In this case the smart card had been registered in the Rome businessman’s name but had not been requested by him.

The probe conducted by the IT investigation section of the Special Telematic Fraud Unit of the Italian Financial and Tax Police has led to the identification of three suspects, including Antinucci, who now face prosecution for personation, false statements or proof given to the electronic signature authenticator regarding their own and other people’s identities and capacities in addition to forgery of public documents, private documents and electronic documents.

According to the investigation, Antinucci was aided and abetted in the fraud by the owner of a business consultancy firm who appears to have been a total tax evader for 16 years. The two men are alleged to have used a photocopy of the businessman’s ID card to activate two smart cards at a certification services agency after filling out the appropriate form.

The owner of the agency declared that he had had direct contact with the two men to issue the smart cards and that they had informed him that the businessman would not be present to sign the smart cards in person as he was abroad on business. The accountant who forwarded the requests to the Chamber of Commerce said he had worked in good faith on the documentation he had been sent by the owner of the agency and had not checked it further.

From what we read in the press, the judges are convinced that neither the agency owner nor the accountant are criminally involved in the scam, although they are guilty of carelessness when initiating the procedure.

However, the accountant has been reported for violation of the rules of discipline to his professional association for failing to verify the authenticity of the signatures which were not added in his presence when transferring the shares.

In the light of this reconstruction, we can say with some certainty that this case arouses a certain level of interest not only because of the novelty of the method apparently used for the fraud but also for the different positions of responsibility which emerge in relation to the various individuals involved in the case.

DigitPA has issued circular no.59 of the 29th December 2011, published only a few days ago in the Official Journal (no.32, February 8, 2012), which sets out the procedures for entities who wish to apply for accreditation as electronic document custodians.

Up until now, in fact, the regulations applied mainly to the activity of custodians and the publication of ad hoc rules has been long awaited. In summary, there are different requirements that aspiring custodians, whether public or private bodies must comply with. Among these is the requirement to demonstrate their reliability in organizational, technical and financial areas, in addition to which all personnel involved in the conservation process must be in possession of specific knowledge and skills. It is also required that special insurance policies be drawn up to cover the possible risks arising from storage.

For those who intend to submit an application for accreditation, however, the process is not yet complete: the issuing of technical regulations governing the storage system provided by the CAD is still awaited. Currently it is therefore possible to submit an application and documentation, but the investigation will remain suspended until the publication of technical regulations

Although the news has not attracted particular media response, the draft of the so-called Development Decree which has been circulating in the last few days would also have an impact on the protection of personal data.

Among other things art. 94 of the decree provides for nothing less than a change in the concept of personal data, adding a significant limitation on legal persons. In fact personal data would now come to mean “any information concerning a natural person and only regarding the electronic communications sector, any information concerning a legal person, body or association subscribing to an electronic communications service available to the public, provided that those persons can be identified or are identifiable even indirectly, by reference to any other information, including a personal identification number. “

Therefore the concept of interested party would also be changed. It would identify the natural person and the legal person, body or association subscribing to an electronic communications service available to the public, limited to the processing of personal data in the field of electronic communications.

Besides the debatable wording of the rule, which raises doubts about its interpretation, the theoretical framework and consequently the practical concept of personal data has been radically changed.

The innovations do not stop here, although the following are less significant.

In fact, there are also new provisions for digital prescriptions and electronic health records (Articles 129 and 130), and from 1 January 2013 school reports and certificates will be issued in an electronic format and made available on the web, by email or other digital formats (Art. 132) Leave certificates for employees whose children are off school ill will also be online (art. 131). As for transport, tickets for buses, trams or other local forms of transportation will be issued in an electronic format (Art. 137).

Finally, the draft decree contains regulations for the increase in the use of Certified email (Article 134), which must be adopted by all companies, not just those constituted in a corporate form. With regard to professionals already affected by this obligation, professional registers are also expected to publish “in any and every case” the certified email addresses of their members.

These predictions are not in fact final and we will follow their procedures and practical implications, which do however, arouse immediate interest and will soon be the subject of lively debate.

The Italian Privacy Authority has decided to open an inquiry in order to shed light on the procedure of location-tracking and user location data storing on 3G iPhones and iPads running iOS4.

Two researchers from the technology magazine O’Reilly have recently discovered the existence of a file by name of “consolidated.db” which registers and stores the connections of iPhones and iPads to cell towers.

This file is present on every iPhone, iPad and on any devices synched with them but it may well not be easily accessible to third parties. In fact it is necessary to have physical access to devices or to computers, or alternatively remote access to user accounts in order to open it.

The security and privacy implications are clear. Through the reading of this file it is possible to see every movement each smartphone has made since its set up. In addition to this, the file is easily readable since it has no password or encryption.

The discovery of this file has disconcerted many Internet bloggers including many long-term fans of Apple’s products.

The Italian Privacy Authority has declared its intention to ask Apple for clarifications and to proceed with a number of technical verifications, while also keeping in contact with other European Authorities, which have already started their inquiries into this matter.

The recent firing of a British employee who seems to have lost her job for posting a complaint on her Facebook profile about her salary, leads us to thinking again about the question of the uses employees make of technological resources in Italy. Here we are talking about Facebook only because it is the most widespread social network.

Obviously rules can be found elsewhere, for example in the contract. In this case work tools are only supposed to be entrusted to the employee for professional use.

4) Could professional policies provide for the use of Facebook for personal reasons?

Generally, yes. An employer’s choices can vary widely. The employer may also exercise a choice of leniency.

5) What if the employer is a public body?

In such cases the matter is rather more delicate. We have to remember that the criminal code punishes the crime of embezzlement.

6) Are workers in any way limited when they express thoughts on Facebook regarding their work or employer?

They are limited by norms of a general nature which might be applied in the same way to Facebook as to any other circumstances, and which could be, for example, the duty of professional loyalty, the principle of fairness, the obligation of non-competition, the norms of personal data protection, and also the respect of honour and of other people’s reputations.

7) Are employers allowed to use information about their workers found on Facebook?

If it is found through legal channels through Facebook’s particular chain of consent, then yes.

8) Should information found on Facebook be considered as private?

It depends on the meaning of “private”. Public information on Facebook is directly or indirectly visible to authorized individuals (for example, friends, friends of friends) and so potentially posted to many individuals.

9) Can information on Facebook only be used for certain purposes (e.g. personal) and not for others (e.g professional)?

Only if this limitation is expressly stated. At the moment it is not possible.

10) Do we need an ad hoc law?

Germany is thinking in this direction. Personally I am still against special laws for every technological innovation. What we need is greater awareness.

The widespread use of broadband connection wireless devices, from smartphones to Internet keys, has highlighted the ISPs’ need to turn to rational data traffic management techniques to solve problems of congestion on mobile networks.

In fact, the level of network congestion is constantly rising. In the first quarter of 2010, 3G data traffic reached a level of 24,743 terabytes, which was 101% more than the same period the previous year.

Clearly the quantity of network resources used by each customer varies in relation to the different services offered by each particular mobile network. Of the various applications, file sharing with p2p technology and VoIP calls, such as for example those made with Skype, have been identified as those activities which make the greatest drain on network resources.

Therefore to avoid network congestion, several mobile operators have introduced new techniques aimed at limiting access to P2P and VoIP services to their own customers who are obliged to pay for these particular services, whereas other operators still allow their customers free access to these services. These different approaches have modified the traditional ecosystem of the network, effectively creating preferential access to the resources and modifying the main economic players’ traditional ways of interacting.

The Italian Communication Regulatory Authority (AGCOM) has recently published an investigationinto these aspects, which in line with what has already been produced by other national Regulatory Authorities, analyzes different aspects of traffic management from the view point of safeguarding competition and the consumer and of the principles of neutrality and freedom of the network.

In the last few days public consultation of the AGCOM investigation has started with the aim of obtaining further evaluations and information from stakeholders regarding the new technical and commercial approaches which affect the principle of net neutrality, the organizational make up of the sector, safeguards for consumer protection and, more generally, possible future regulatory actions.

Among the aspects which have already emerged as priorities in the international debate are transparency of information and the definition of instruments for safeguarding the consumer, who must be able to make his choices in full awareness when using VoIP and P2P mobile services and more in general, when using new mobile services.

However, it has also emerged from the investigation that operators also have potential problems with VoIP. In fact VoIP mobile uses Internet Protocol which makes it possible to make voice calls through terminals where software provided by the net operators has been installed (so-called VoIP managed), or which has been provided by independent content providers (so-called VoIP unmanaged), such as Skype for example.

Yet, the entry of third party content providers risks having a negative impact on operators’ turnover in that the availability of mobile VoIP services allows the end user to substitute traditional voice and text services with data networks.

AGCOM aims to identify the forms and methods that regulatory actions might take through the use of public consultation, in compliance with the principle of adequacy, necessity and the close connection between the action and the final aims.